Cybersecurity Economics – Balancing Operational Security Spending

Stale Ekelund, Zilia Iskoujina

Research output: Contribution to journal › Article


Abstract

Purpose: The purpose of this paper is to demonstrate how to find the optimal investment level in protecting an organisation’s assets.

Design/methodology/approach: This study integrates a case study of an international financial organisation with various methods and theories in security economics and mathematics, such as value-at-risk (VaR), Monte Carlo simulation, exponential and Poisson probability distributions. Thereby it combines theory and empirical findings to establish a new approach to determining optimal security investment levels.

Findings: The results indicate that optimal security investment levels can be found through computer simulation with historical incident data to find VaR. By combining various scenarios, the convex graph of the risk cost function has been plotted, where the minimum of the graph represents the optimal investment level for an asset.

Research limitations/implications: The limitations of the research include a modest number of loss observations from one case study, and the use of normal probability distribution. The approach has limitations where there are no historical data available or the data has zero losses. These areas should undergo further research, including a larger data set of losses and exploring other probability distributions.

Practical implications: The results can be used by leading business practitioners to assist them with decision making on investment in the increased protection of an asset.

Originality/value: The originality of this research is in its new way of combining theories with historical data to create methods to measure theoretical and empirical strength of a control (or set of controls) and translating it to loss probabilities and loss sizes.

Original language: English
Pages (from-to): 1318-1342
Number of pages: 25
Journal: Information Technology & People
Volume: 32
Issue number: 5
Early online date: 27 Jun 2019
DOIs
Publication status: Published - 7 Oct 2019

Keywords

  • Cybersecurity
  • Organization

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Library and Information Sciences
